CVE-2025-47981: Wormable Windows SPNEGO Flaw Tops Microsoft's July 2026 Patch Tuesday

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2025-47981, a CVSS 9.8 heap-based buffer overflow in Windows SPNEGO Extended Negotiation, patches today as part of Microsoft's July 2026 Patch Tuesday release alongside 126 additional vulnerabilities — and security researchers rate exploitation as "more likely" on any Windows system reachable over SMB, RDP, HTTP, or SMTP.
CVE-2025-47981 is a heap-based buffer overflow in the NEGOEX protocol, the internal extension layer of Windows SPNEGO authentication. SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is the handshake layer every Windows service uses to negotiate an authentication protocol before a session starts. SMB file shares, Remote Desktop Protocol sessions, IIS web services, and SMTP relay all pass through SPNEGO. When NEGOEX processes a specially crafted authentication message, an attacker overwrites memory structures and redirects execution to shellcode, gaining SYSTEM-level code execution on the target without providing credentials or waiting for user interaction.
The wormable potential of Windows SPNEGO CVE-2025-47981 places it in the same threat class as EternalBlue, the SMB flaw that powered the 2017 WannaCry global outbreak. A single host executing the exploit over port 445 can propagate automatically across a flat corporate network, compromising adjacent machines with no human involvement. Researchers at ZeroPath and SOC Prime both confirm the attack vector requires only network reachability and a single crafted packet. Microsoft itself classifies exploitation as "more likely," acknowledging that reverse-engineering the July patch to develop a working exploit is well within reach for the threat actors now analyzing the patch diff.
Apply the July 2026 cumulative Windows update on all endpoints and servers today. Prioritize internet-facing systems, domain controllers, and every Windows Server running SMB or RDP. Before patching, audit Kerberos RC4 service accounts — today's update permanently removes the RC4 hardening rollback option and any service account still requesting RC4 Kerberos tickets will fail to authenticate post-patch.
How Does the CVE-2025-47981 Windows SPNEGO Exploit Work?
CVE-2025-47981 is a heap-based buffer overflow (CWE-122) in the NEGOEX protocol extension layer of Windows SPNEGO authentication, discovered by security researcher Yuki Chen alongside anonymous contributors and reported to Microsoft through coordinated disclosure.
SPNEGO is the mechanism Windows uses when two systems need to agree on how to authenticate before exchanging data. When a Windows client connects to a server over SMB, RDP, HTTP, or SMTP, both sides negotiate which authentication protocol to use — Kerberos, NTLM, or another GSSAPI mechanism — via SPNEGO. NEGOEX is the extension of this negotiation that handles more complex authentication scenarios, and it processes authentication metadata messages before any user identity is established.
The overflow triggers when NEGOEX parses a specially crafted NEGOEX authentication message. The attacker sends a packet designed to overwrite heap memory beyond the allocated buffer for the message structure. The overwritten memory contains function pointers or control-flow data, and the attacker controls the overwrite content well enough to redirect execution to shellcode. Code runs at SYSTEM level because NEGOEX processing occurs in a privileged context within the Windows Local Security Authority Subsystem (LSASS) and related authentication services.
The exploit path requires no prior authentication. The NEGOEX exchange happens at the very start of the session negotiation, before any credentials are presented. SMB port 445, RDP port 3389, HTTP and HTTPS on ports 80 and 443, and SMTP on port 25 all initiate SPNEGO negotiation — any of these services is a valid exploitation path on an unpatched system. An attacker with network reach to any of these ports can deliver the payload without an account, without a password, and without any action by the user on the target machine.
Which Windows Versions Are Affected by CVE-2025-47981?
CVE-2025-47981 affects Windows systems broadly across both client and server product lines. Every Windows 10 installation from version 1607 onward is in scope, covering all current and recently end-of-life builds through 22H2. Windows 11 versions 22H2, 23H2, and 24H2 are affected. On the server side, the vulnerability reaches from Windows Server 2008 R2 through Windows Server 2025, including Windows Server 2016, 2019, and 2022 and all Server Core installation variants. More than 33 distinct Windows and Server configurations are confirmed affected across x64, x86, and ARM64 architectures.
The risk is elevated on systems where the Group Policy setting "Network security: Allow PKU2U authentication requests to this computer to use online identities" is enabled. This setting, enabled by default on many Windows deployments, broadens the NEGOEX attack surface by permitting peer-to-peer authentication that activates the vulnerable NEGOEX code path on endpoints that might otherwise not expose it.
Scope of exposure: any Windows 10 or Server 2008 R2 or later system with TCP port 445, 3389, 80, 443, or 25 reachable from an untrusted network is a potential target. Domain controllers running Windows Server 2008 R2 through 2025 are particularly high-value targets because a SYSTEM shell on a domain controller gives an attacker immediate access to all Active Directory credentials and every system trusting that DC. Internet-facing RDP jump boxes, VPN concentrators running Windows, and SMB-accessible file servers represent the highest-priority patching targets given their direct network exposure.
Organizations that have not applied cumulative Windows updates since July 8, 2025 should treat today's patch as closing an actively monitored gap — researchers and threat actors alike have had twelve months to study the original patch for exploitation paths.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Why Researchers Compare CVE-2025-47981 to WannaCry
Security researchers describing Windows SPNEGO CVE-2025-47981 as "wormable" are invoking a specific threat model: an exploit that, once deployed on a single machine, propagates autonomously to adjacent systems without any additional attacker involvement. EternalBlue, the NSA-developed SMB exploit leaked by Shadow Brokers in April 2017, was wormable in exactly this way. WannaCry infected 230,000 machines across 150 countries in 72 hours, crippling the UK National Health Service, Germany's Deutsche Bahn, Spain's Telefonica, and dozens of critical infrastructure operators. NotPetya followed within weeks using the same propagation mechanism and caused over $10 billion in damages globally.
CVE-2025-47981 shares the key structural characteristics that made EternalBlue so devastating: it operates over ubiquitous Windows services (SMB, RDP), requires no authentication or user interaction, achieves SYSTEM-level code execution, and the attack surface is every Windows machine reachable on the network. A threat actor who develops a working exploit could deploy ransomware that encrypts every unpatched Windows machine across a corporate network in minutes, following the exact WannaCry playbook.
Microsoft itself rates exploitation as "more likely," which is the MSRC's assessment that a reliable, weaponized exploit is achievable within 30 days of patch release. Given that the original CVE-2025-47981 patch was released in July 2025, that 30-day window has long closed — and threat actors who tracked this vulnerability have had a full year to develop exploit tooling. The researcher "Nightmare-Eclipse," who has released six Windows zero-days since April 2026 including BlueHammer, RedSun, and GreenPlasma, publicly threatened a "bone shattering" exploit release timed specifically for today's Patch Tuesday, adding immediate urgency to the patching window.
Unpatched Windows Server environments reachable via SMB should be treated as actively at risk, not theoretically at risk.
“If you have Windows servers exposed to a network — and you do — this is an emergency patch.”
Byteiota Patch Tuesday July 2026 Analysis
Kerberos RC4 Hardening: The Second Critical Change in July 2026 Patch Tuesday
The July 2026 cumulative update permanently removes the Group Policy rollback control for Kerberos RC4 encryption hardening. RC4 is a legacy cipher that has been cryptographically broken for years, and Microsoft has been progressively disabling it from Kerberos authentication since 2022. Phase 2 of that enforcement goes permanent today, July 14, 2026, meaning organizations lose the ability to roll back RC4 behavior via Group Policy after applying today's patches.
Any service account, computer account, or Kerberos service that explicitly requests RC4 Kerberos tickets will fail to authenticate after today's update is deployed. This is not a vulnerability fix but an enforcement action — and it will cause authentication failures in environments that have not completed the RC4 migration.
Before applying July 2026 patches, audit every service account and computer account in Active Directory for RC4 Kerberos ticket requests. Run the following PowerShell to identify accounts still requesting RC4:
Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | Where-Object {$_.'msDS-SupportedEncryptionTypes' -band 4} | Select-Object Name, SamAccountName
Service accounts flagged by this query must be updated to support AES-128 or AES-256 Kerberos encryption before you apply today's patches, or those services will stop authenticating. Affected services include legacy SQL Server instances, older IIS application pools, and any third-party application using Windows Integrated Authentication that has not been updated to modern Kerberos encryption.
Patch CVE-2025-47981 first. Complete the RC4 audit in parallel. The two requirements do not conflict if sequenced correctly: audit RC4 dependencies, remediate legacy service accounts, then deploy the July cumulative update. Patching without the RC4 audit first risks authentication outages across business-critical services in the hours after deployment.
CVE-2025-47981 Detection: Identifying Exploitation Attempts Before They Succeed
CVE-2025-47981 exploits occur at the NEGOEX authentication layer, before any application-level session is established. Standard authentication logs do not record pre-authentication NEGOEX traffic, which means exploitation attempts will not appear in Windows Security Event Log entries for account logons (Event IDs 4624/4625). Detection requires network-layer visibility or LSASS-level monitoring.
Network detection: configure IDS/IPS rules to flag malformed NEGOEX messages arriving on TCP port 445 (SMB), 3389 (RDP), 80/443 (HTTP/S), and 25 (SMTP). A NEGOEX message with an oversized or structurally invalid authentication token field is the primary indicator. SOC Prime published detection rules for CVE-2025-47981 that translate into Sigma format for deployment to Splunk, Microsoft Sentinel, and other SIEM platforms.
LSASS process monitoring: Windows Defender Credential Guard isolates LSASS from most process-injection attacks, but CVE-2025-47981 targets the authentication layer before Credential Guard's protection boundary. Monitor for unexpected child processes spawned from lsass.exe or svchost.exe hosting the SPNEGO provider. A successful exploit producing a SYSTEM shell will typically spawn cmd.exe or powershell.exe as a child of lsass.exe — flag this immediately.
SMB connection anomalies: a worm exploiting CVE-2025-47981 will generate rapid sequential TCP 445 connection attempts from recently compromised hosts to all adjacent RFC-1918 addresses. Lateral movement traffic from endpoint workstations to port 445 across the subnet is a secondary indicator of active exploitation in progress. Alert on workstation-to-workstation SMB connection spikes in environments where this traffic is not expected.
The SharePoint RCE CVE-2026-45659 exploitation pattern demonstrated that detection at the network layer is fastest — SIEM correlation of authentication failures lags behind active exploitation by minutes.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Patch CVE-2025-47981 Before End of Day
Microsoft released the July 2026 cumulative update today through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. The update addresses CVE-2025-47981 alongside 126 additional vulnerabilities. Complete the Kerberos RC4 audit before deploying to avoid authentication outages.
1. Audit Kerberos RC4 service accounts before patching
Run: Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | Where-Object {$_.'msDS-SupportedEncryptionTypes' -band 4} | Select-Object Name, SamAccountName in PowerShell to identify accounts still requesting RC4 Kerberos tickets. Update flagged accounts to AES-128 or AES-256 before deploying today's update.
2. Deploy the July 2026 cumulative update via Windows Update
On managed endpoints and servers: open Settings > Windows Update > Check for updates. Install the July 2026 cumulative update (KB number confirmed on the Microsoft Update Catalog). Restart required to complete installation.
3. Deploy via WSUS or Microsoft Update Catalog for unmanaged systems
For servers not connected to Windows Update: download the July 2026 Servicing Stack Update and cumulative update for the target Windows version from catalog.update.microsoft.com. Install the Servicing Stack Update first, then the cumulative update, and restart.
4. Prioritize domain controllers, RDP servers, and internet-facing SMB hosts
Patch Windows Server domain controllers first — a compromised DC gives an attacker access to all Active Directory credentials. RDP jump boxes and any Windows system with port 445 or 3389 reachable from outside the perimeter are the highest-risk targets for immediate exploitation.
5. Block SMB and RDP from the internet at the perimeter firewall
TCP port 445 (SMB) and port 3389 (RDP) should never be directly reachable from the public internet. If either port is currently exposed, block it at the perimeter firewall immediately — this mitigates the network-based attack vector for CVE-2025-47981 while patching completes.
6. Enable Windows Defender Firewall rules to limit NEGOEX exposure on endpoints
On workstations not requiring inbound SMB, disable or restrict inbound TCP 445 via Windows Defender Firewall with Advanced Security. This limits worm propagation lateral movement even if a neighbor host is compromised before patching completes.
7. Verify patch deployment with Windows Update compliance reporting
After deployment, run: Get-WindowsUpdateLog in PowerShell and confirm the July 2026 cumulative update is listed as installed. For WSUS environments, check the WSUS console for the July 2026 cumulative update installation status across all managed devices.
Why Windows SPNEGO CVE-2025-47981 Demands Action for Your Organization Today
CVE-2025-47981 is not a theoretical risk. Microsoft rates exploitation as "more likely," meaning their internal assessment is that a reliable weaponized exploit is achievable with the skills and resources available to established threat actors. The original patch for this vulnerability was released a year ago, in July 2025. Any organization that has not applied that patch — or any organization that has fallen behind on cumulative updates — is running a year-old CVSS 9.8 wormable hole in their Windows estate right now.
Ransomware groups have consistently targeted wormable Windows vulnerabilities. The BlueHammer CVE-2026-33825 active exploitation campaign demonstrated that ransomware operators integrated a weaponized Windows exploit into their lateral movement toolkit within weeks of public disclosure. An exploit for CVE-2025-47981 gives a ransomware operator the ability to propagate encryption across every unpatched Windows machine on a network segment without needing to crack a single credential.
The Kerberos RC4 hardening enforcement today adds a second dimension of urgency. Organizations that apply today's patches without first completing the RC4 audit face authentication outages in business-critical services hours after deployment. But organizations that delay patching to complete the RC4 audit are extending their CVE-2025-47981 exposure. The correct sequence is to audit RC4 service accounts now, remediate any flagged accounts, and deploy the July 2026 cumulative update before end of business today.
A wormable CVSS 9.8 Windows vulnerability with a 12-month exploitation window and a researcher threatening new zero-day releases today is the clearest possible signal that waiting until next patch cycle is not an option.
The bottom line
Windows SPNEGO CVE-2025-47981 (CVSS 9.8) is the most dangerous vulnerability in Microsoft's July 2026 Patch Tuesday — wormable, unauthenticated, and exploitable via SMB and RDP with no user interaction. Three takeaways: every Windows 10 and Server 2008 R2 or later system with a reachable SMB or RDP port is in scope regardless of other network controls; exploitation has been rated "more likely" by Microsoft, meaning a reliable exploit exists or is imminent; and failing to audit Kerberos RC4 service accounts before patching will cause authentication outages post-deployment. Apply the July 2026 cumulative update today, DC-first, after completing the RC4 audit.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2025-47981?
CVE-2025-47981 is a CVSS 9.8 heap-based buffer overflow in the Windows SPNEGO Extended Negotiation (NEGOEX) authentication mechanism. An unauthenticated remote attacker sends a specially crafted authentication message to any service using Windows SPNEGO, including SMB, RDP, HTTP, or SMTP, to trigger a memory overflow that executes code at SYSTEM level. No credentials and no user interaction are required. Microsoft patched the vulnerability in July 2025 and it is featured as the critical priority in July 2026 Patch Tuesday analysis.
Is CVE-2025-47981 being actively exploited in the wild?
No confirmed active exploitation in the wild has been reported as of July 14, 2026. However, Microsoft rates the vulnerability as 'exploitation more likely,' their assessment that a reliable weaponized exploit is achievable within 30 days of patch release. Since the original patch was released in July 2025, that window has long passed. Security researcher Nightmare-Eclipse publicly threatened new Windows exploit releases specifically timed for July 14, 2026 Patch Tuesday, adding urgency to the patching timeline.
Which Windows versions are affected by CVE-2025-47981?
CVE-2025-47981 affects Windows 10 version 1607 and later, Windows 11 versions 22H2, 23H2, and 24H2, and Windows Server from 2008 R2 through Server 2025, including Server Core installations. More than 33 distinct Windows configurations across x64, x86, and ARM64 architectures are confirmed vulnerable. Risk is elevated on systems where Group Policy enables PKU2U authentication requests, which is the default setting on many Windows deployments.
What is SPNEGO and why does it matter for Windows security?
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is the authentication handshake layer Windows uses before every authenticated session. When a Windows client connects to an SMB share, an RDP server, or an IIS web application, SPNEGO negotiates which authentication protocol both sides will use — typically Kerberos or NTLM. NEGOEX is the extension of SPNEGO that handles complex negotiation scenarios. Because SPNEGO runs before any user identity is established, a vulnerability in this layer is exploitable without credentials and affects every Windows service that supports authenticated connections.
Why is CVE-2025-47981 called wormable?
A wormable vulnerability can be exploited to self-propagate across connected systems without any attacker interaction after initial deployment. CVE-2025-47981 meets this definition because the exploit works over SMB port 445 with no authentication, no user interaction, and achieves SYSTEM-level code execution. Malware placed on one compromised host can automatically scan adjacent IP addresses for port 445, deliver the exploit payload, gain SYSTEM access, and repeat the process on the newly compromised host. EternalBlue and WannaCry demonstrated in 2017 how fast this propagation model scales across corporate networks.
How do I detect CVE-2025-47981 exploitation attempts?
Monitor for malformed NEGOEX messages on TCP ports 445, 3389, 80, 443, and 25 using IDS/IPS rules. At the host level, alert on unexpected child processes spawned from lsass.exe or svchost.exe, particularly cmd.exe or powershell.exe. A workstation initiating rapid sequential SMB connections to all adjacent RFC-1918 addresses is a secondary indicator of worm propagation in progress. SOC Prime has published Sigma-format detection rules for CVE-2025-47981 compatible with Splunk, Microsoft Sentinel, and other SIEM platforms.
What is the Kerberos RC4 hardening change in July 2026 Patch Tuesday?
The July 2026 cumulative Windows update permanently removes the Group Policy rollback control for Kerberos RC4 encryption. RC4 is a broken legacy cipher that Microsoft has been progressively deprecating from Kerberos authentication since 2022. After applying today's update, any service account or computer account that still requests RC4 Kerberos tickets will fail to authenticate. Organizations must audit Active Directory for RC4-dependent service accounts and update them to AES-128 or AES-256 before applying today's patches to avoid authentication outages in business-critical services.
How do I patch CVE-2025-47981 immediately?
Apply the July 2026 cumulative Windows update through Windows Update, WSUS, or the Microsoft Update Catalog before end of day. Before patching, audit Kerberos RC4 service accounts using PowerShell: Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes to identify accounts still requesting RC4. Patch domain controllers first, then internet-facing Windows servers with SMB or RDP exposed. Block TCP port 445 and 3389 at the internet perimeter if those ports are currently reachable from outside your network, as a temporary mitigation while patching completes.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
